> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> Sent: 19 November 2002 20:27
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute?

> I only wanted to say that the certified identity could be e.g.
> [EMAIL PROTECTED] so, the eap-id would carry [EMAIL PROTECTED] each AP
> should basically put this value into User-Name, so it would be
> [EMAIL PROTECTED] again. We could verify that for both
> authentication and authorization the three fields are the same,
> certificate = eap-id = User-Name.

Right. I don't think it is standardized how to check that the identity/user-name corresponds to the certificate, so one would probably just base the check on what Win XP does.

> Now the server receiving the request from the AP happens to be in
> visited.com. So it has to proxy the request to the home.com radius
> server. It could happen that home.com (being some huge ISP) demands a
> stripped user-name, i.e. simply kevin. So the server at visited.com
> would strip it, but in the User-Name only, since the EAP-Message is not
> considered when proxying. Now home.com, when running freeradius, would
> state that the three attributes mentioned before are *not* the same and
> would reject, right? Or did I misget your point?

I see your point, but I just don't think it makes sense to demand a stripped User-Name when using certificates for authentication.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
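The three-way comparison discussed in this thread (certificate = eap-id = User-Name), and why it fails once a proxy strips the realm from User-Name only, shown as an added example that is not part of the original message and not FreeRADIUS code. The function names, the exact-match rule and the identity `kevin@home.example` are assumptions made for illustration; the EAP-Message is assumed to be already reassembled into one EAP packet.

```python
import struct

EAP_RESPONSE = 2       # EAP Code field: Response (RFC 3748)
EAP_TYPE_IDENTITY = 1  # EAP Type field: Identity

def build_eap_identity(identifier, identity):
    """Build an EAP-Response/Identity packet (used for the constructed sample)."""
    data = identity.encode("utf-8")
    header = struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY)
    return header + data

def parse_eap_identity(packet):
    """Return the identity string carried in an EAP-Response/Identity packet."""
    if len(packet) < 5:
        raise ValueError("EAP packet too short")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    if length < 5 or length > len(packet):
        raise ValueError("EAP length field does not fit the packet")
    return packet[5:length].decode("utf-8")

def check_identities(cert_identity, eap_message, user_name):
    """Compare certificate identity, EAP identity and User-Name (hypothetical policy).
    Returns (ok, names of the fields that differ from the certificate)."""
    observed = {"eap-id": parse_eap_identity(eap_message), "User-Name": user_name}
    mismatched = sorted(k for k, v in observed.items() if v != cert_identity)
    return (not mismatched, mismatched)

def strip_realm(user_name):
    """What the proxy in the thread does: drop '@realm' from User-Name only."""
    return user_name.split("@", 1)[0]

# Constructed sample values (not taken from the thread).
CERT_ID = "kevin@home.example"
EAP_MSG = build_eap_identity(1, CERT_ID)

def demo():
    """Run the check as seen at the AP's server and again after the proxy."""
    at_ap = check_identities(CERT_ID, EAP_MSG, CERT_ID)
    after_proxy = check_identities(CERT_ID, EAP_MSG, strip_realm(CERT_ID))
    return at_ap, after_proxy

if __name__ == "__main__":
    print(demo())
```

The EAP-Message still carries the full identity after proxying, so only the User-Name field is reported as mismatched at the home server.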
